Another security vulnerability in Skype VoIP client

Skype has fixed a security vulnerability in its SkypeFind feature, which attackers could have used to execute JavaScript on Windows PCs. As with holes discovered in Skype in January, the problem is caused by the Windows client displaying external web pages using Internet Explorer's rendering engine and JS/ActiveX API in the local zone context, giving it the full privileges of the logged-on user.

SkypeFind is used to find businesses and services recommended by other Skype users. The client fails to filter the name of the recommended contact properly, and JavaScript inserted into the name field is executed when the entry is viewed in the victim's client. The vulnerability was discovered by Israeli security specialist Aviv Raff, who found previous flaws in the software. It is not clear how Skype has closed this hole, but the company says it is unnecessary to update the client. Skype is still working on a patch to fix the actual cross-zone scripting problem, so its "Add video to chat" feature remains disabled.